tag:blogger.com,1999:blog-15467161570776153742009-08-01T17:05:08.515+03:00TwitPwn(ab)using twitter since 2008!avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.comBlogger37125tag:blogger.com,1999:blog-1546716157077615374.post-26110520896093022392009-08-01T11:03:00.003+03:002009-08-01T17:05:08.527+03:00MoTB #31: Twitter Integrated Search Reflected XSS<strong>What is Twitter Search<br /></strong>"There is an undeniable need to search, filter, and otherwise interact with the volumes of news and information being transmitted to Twitter every second. Twitter Search helps you filter all the real-time information coursing through our service." (Twitter Search <a target="_blank" href="http://search.twitter.com/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Because Twitter Search is now integrated within Twitter, you can now actually preform <b>any</b> Twitter action in the book.<br /><br /><br /><strong>Popularity rate<br /></strong>Integrated search = All web users = <a href="http://twitstat.com/churn.html" target="_blank">60% of all Twitter users</a> - 5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Integrated Search feature.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Integrated search, as well as it's JSON search.html page, did not encode HTML entities, which could have allowed the injection of scripts. <br />The vulnerability was also submitted by Laurent Gaffie and Pierre Gardenat. The idea to look at the JSON search.html page came from <a target="_blank" href="http://www.threatpost.com/weblog/ones_and_zeros">Ryan Naraine</a>.<br />This vulnerability could have been used by an attacker to take control of its victims Twitter accounts, as well as to create a massive Twitter worm.<br /><strong>Proof-of-Concepts</strong>: <br />http://twitter.com/home#search?q=%3Cimg%20src%3D%22.%22%20onerror%3Dalert%28%22xss%22%29%3E<br />http://integratedsearch.twitter.com/search.html?callback=%3Cscript%3Ealert(%22xss%22)%3C/script%3E&layout=none&locale=en&page=1&q=aslkjdlaskdjlaksjdlaksjdasd<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/TwitterXSS.png"><img border="0" src="http://twitpwn.com/motb/images/TwitterSearchPwn.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />Twitter's responsiveness, especially of Alex Payne, was great throughout Month of Twitter Bugs. The vulnerabilities were fixed in less than 24 hours. If I could give them 6 twits, I would. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-2611052089609302239?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/grQ4-Xs5tEk" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/08/motb-31-twitter-integrated-search.htmltag:blogger.com,1999:blog-1546716157077615374.post-32138367909950970842009-07-31T18:23:00.006+03:002009-07-31T18:52:13.967+03:00MoTB #30: TweetDeck Insecure Communication Vulnerability<strong>What is TweetDeck<br /></strong>"TweetDeck is your personal browser for staying in touch with what’s happening now, connecting you with your contacts across Twitter, Facebook and more. TweetDeck shows you everything you want to see at once, so you can stay organised and up to date." (TweetDeck <a target="_blank" href="http://tweetdeck.com/beta/about/">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>TweetDeck can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.<br />TweetDeck is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />The most popular Twitter clients. 2nd place in the <a href="http://twitstat.com/churn.html" target="_blank">most used twitter clients</a>, with 25.6% usage in the past week - 5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Insecure communication vulnerability when displaying videos.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: TweetDeck does not use a secure communication when it displays videos inline (e.g. using <a href="http://qik.com" target="_blank">Qik</a>). An attacker who controls the victim's network (e.g. via public WiFi, compromised DNS servers, etc.) can tamper with the request to the video website and replace it with a rogue content (e.g. display a fake malicious update request). <br />This vulnerability can be used by an attacker to install malware on its victims machines.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/TweetDeckPwn.png"><img border="0" src="http://twitpwn.com/motb/images/TweetDeckPwn.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor has confirmed this as a vulnerability. They are working with their partners (Qik and 12seconds) in order to replace the current HTTP connection with HTTPS. While the vendor have yet to fix the vulnerability, they were very responsive and have promised to release a patch as soon as their partners will implement SSL on their websites. Almost Good - 3.5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3213836790995097084?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/O3O1dn85SbE" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-30-tweetdeck-insecure.htmltag:blogger.com,1999:blog-1546716157077615374.post-74308724698033893252009-07-29T17:45:00.004+03:002009-07-29T17:56:36.462+03:00MoTB #29: Reflected XSS in chart.ly<strong>What is chart.ly<br /></strong>"Share stock charts on Twitter" (chart.ly <a target="_blank" href="http://chart.ly/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>chart.ly can be used to send tweets and follow other twitter users.<br />chart.ly is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />A not so popular alternative to StockTwits - 1 twit<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The chart.ly search page does not encode HTML entities in the "q" variable, which can allow the injection of scripts.<br />This vulnerability can used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E<br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-7430872469803389325?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/rbF2mqsdsv4" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-29-reflected-xss-in-chartly.htmltag:blogger.com,1999:blog-1546716157077615374.post-23118191174492303832009-07-29T17:36:00.004+03:002009-07-29T17:52:00.471+03:00MoTB #28: Reflected XSS vulnerability in tweetburner<strong>What is tweetburner<br /></strong>"Tracking the links that you share on Twitter" (tweetburner <a target="_blank" href="http://tweetburner.com/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>tweetburner can be used to send tweets with the shortened URLs through a form on their website.<br />tweetburner is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />Yet another Twitter shortening service. Not as popular as others in this market - 2 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the shortened URL creation page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The tweetburner shortened URL creation page does not encode HTML entities in the "url" variable, which can allow the injection of scripts.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://tweetburner.com/links/create?url=%3Cscript%3Ealert(%22xss%22)%3C/script%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB28_tweetburner.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB28_tweetburner.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-2311819117449230383?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/b6PudORvaZ4" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com2http://www.twitpwn.com/2009/07/motb-18-reflected-xss-vulnerability-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-65924662032712377542009-07-27T19:57:00.002+03:002009-07-27T20:07:47.265+03:00MoTB #27: Reflected XSS in Posterous<strong>What is Posterous<br /></strong>"We love sharing thoughts, photos, audio, and files with our friends and family, but we didn't like how hard it was... so we made a better way. That's posterous. " (Posterous <a target="_blank" href="http://posterous.com/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Posterous can be used to send tweets by sending posts via email, or posting comments on existing posts.<br />Posterous is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>25th place in the <a href="http://twitstat.com/churn.html" target="_blank">most used twitter clients</a> list, accordint to "TwitStat" - 3.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Posterous search page did not encode HTML entities in the "search" variable, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concepts</strong>: http://avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E<br />http://posterous.com/explore/?search=xxx%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E<br /><strong>Screenshots</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB27_posterous.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB27_posterous.png" width=341 height=247 /></a><br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB27_posterous_2.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB27_posterous_2.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerability was fixed 12 hours after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-6592466203271237754?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/r9iGu179FU4" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-27-reflected-xss-in-posterous.htmltag:blogger.com,1999:blog-1546716157077615374.post-37732141473883278262009-07-26T21:09:00.002+03:002009-07-26T21:34:26.341+03:00MoTB #26: Reflected XSS in Tweeple Pages<strong>What is Tweeple Pages<br /></strong>"Tweeple Pages is a user powered directory of Twitter users organized by their interests. Simply allow the Tweeple Pages application access and you can start discovering other users with similar interests as you!" (Tweeple Pages <a target="_blank" href="http://tweeplepages.com/about.php">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Tweeple Pages can be used to follow and unfollow other twitter users.TweeTube is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>Not a very popular alternative to twellow, wefollow, and other Twitter categorization services - 0.5 twits<br /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The Tweeple Pages search page does not encode HTML entities in the "q" variable, which can allow the injection of scripts.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB26_tweeplepages.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB26_tweeplepages.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3773214147388327826?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/tEsvnMA0RN8" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-26-reflected-xss-in-tweeple-pages.htmltag:blogger.com,1999:blog-1546716157077615374.post-19209599926999060022009-07-25T22:33:00.005+03:002009-07-25T23:05:59.060+03:00MoTB #25: CSRF+XSS vulnerabilities in TwitStat<strong>What is TwitStat<br /></strong><a target="_blank" href="http://www.twitstat.com/m/">TwitStat</a> provides a mobile web interface for Twitter. <br /><br /><br /><strong>Twitter effect<br /></strong>TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.<br />TwitStat is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />30th place in the <a href="http://twitstat.com/churn.html" target="_blank">most used twitter clients list</a>, according to “TwitStat” - 3 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerabilities</strong>: <br />1) Cross-Site Request Forgery in main update page<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The TwitStat index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the TwitStat web application. <br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><br />2) Reflected POST Cross-Site in the Search page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The TwitStat search page did not encode HTML entities in the "terms" form field, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.<br /><strong>Proof-of-Concept</strong>: http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB25_twitstatmobile.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB25_twitstatmobile" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerabilities were fixed 5 days after they have been reported. Moderate - 3 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-1920959992699906002?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/I2LqbGhC-vQ" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-25-csrfxss-vulnerabilities-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-49290511392193205372009-07-25T02:24:00.002+03:002009-07-25T02:34:54.115+03:00MoTB #24: Reflected XSS in TweeTube<strong>What is TweeTube<br /></strong>"TweeTube was started in January 2009 after identifying a need for an easy way to share YouTube videos among your Twitter followers. We since grew to allow users to share different stuff like pictures, webcam recordings, website urls and much more to come." (TweeTube <a target="_blank" href="http://www.tweetube.com/info">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>TweeTube can be used to send tweets by uploading new videos/photos, sending them via email, or posting comments on existing videos/photos.<br />TweeTube is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>Not a very popular alternative to yfrog, twitpic and other Video or Photo sharing services - 0.5 twits<br /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The TweeTube search page does not encode HTML entities in the "q" variable, which can allow the injection of scripts.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://www.tweetube.com/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB24_tweetube.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB24_tweetube.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-4929051139219320537?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/L7ipkS5SvVs" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-24-reflected-xss-in-tweetube.htmltag:blogger.com,1999:blog-1546716157077615374.post-51778582896948143152009-07-23T21:11:00.005+03:002009-07-23T21:33:31.242+03:00MoTB #23: TwitterCounter/TwitterRemote Reflected XSS vulnerabilities<strong>What is TwitterCounter<br /></strong>"Just as TwitterCounter could be described as Feedburner for Twitter you could say that TwitterRemote is like MyBlogLog for Twitter. " (TwitterCounter <a target="_blank" href="http://twittercounter.com/pages/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>TwitterCounter can be used to send new tweets and reply to other Twitter users.<br />TwitterCounter is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>Over 830,000 unique visitors per month (<a href="http://siteanalytics.compete.com/twittercounter.com/" target="_blank">According to Compete</a>) - 4 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br />1) <strong>Vulnerability</strong>: Reflected Cross-Site Scripting in the Country page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The TwitterCounter country page does not encode HTML entities in the "timezone" variable, which can allow the injection of scripts.<br />The vulnerability was also submitted, and <a href="http://security-sh3ll.blogspot.com/2009/07/xss-flaws-and-redirect-on-tweetmeme-and.html" target="_blank">publicly disclosed</a> by d3v1l.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://twittercounter.com/pages/country?time_zone=XXX%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB23_twittercounter_2.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB23_twittercounter_2.png" width=341 height=247 /></a><br /><br />2) <strong>Vulnerability</strong>: Reflected Cross-Site Scripting in the iframe.php page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: The TwitterRemote iframe.php page does not encode HTML entities in the query variables, which can allow the injection of scripts.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://twittercounter.com/remote/iframe.php?username_owner=xxx&users_id=3351429&nr_show=6&hr_color=cccccc&a_color=709cb2&bg_color=;color:expression(alert('xss'))<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB23_twittercounter_1.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB23_twittercounter_1.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-5177858289694814315?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/IgkglD9Q2zU" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-23-twittercountertwitterremote.htmltag:blogger.com,1999:blog-1546716157077615374.post-53744722546065535272009-07-22T21:30:00.006+03:002009-07-22T21:58:00.679+03:00MoTB #22: CSRF in StockTwits<strong>What is StockTwits<br /></strong>"StockTwits is an open, community-powered idea and information service for investments. Users can eavesdrop on traders and investors, or contribute to the conversation and build their reputation as savvy market wizards. The service takes financial related data - using Twitter as the content production platform - and structures it by stock, user, reputation, etc." (StockTwits <a target="_blank" href="http://www.stocktwits.com/about">about page</a>)<br /><br /><br /><strong>Twitter affect<br /></strong>StockTwits can be used to send tweets and follow other Twitter users.<br />StockTwits is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />82nd place <a href="http://momb.socio-kybernetics.net/labs/twitter-50" target="_blank">according to "The Museum of Modern Betas"</a>. - 2 twit<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Cross-Site Request Forgery in the update JSON page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The StockTwits update JSON page did not use authenticity code in order to validate that the HTTP post is coming from the StockTwits web application.<br /><strong>Screenshots</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB22_stocktwits_1.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB22_stocktwits_1.png" width=341 height=247 /></a><br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB22_stocktwits_2.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB22_stocktwits_2.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerability was fully fixed 22 hours after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-5374472254606553527?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/Un7EQGQGgn8" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-22-csrf-in-stocktwits.htmltag:blogger.com,1999:blog-1546716157077615374.post-37153459522690088752009-07-21T23:35:00.007+03:002009-07-22T00:23:05.439+03:00MoTB #21: Multiple vulnerabilities in Ping.fm<b>What is Ping.fm</b><br />"Ping.fm is a simple and FREE service that makes updating your social networks a snap!" (Ping.fm <a href="http://ping.fm">home page</a>)<br /><br /><br /><strong>Twitter affect</strong><br />Ping.fm can be used to send tweets by sending them via their website, email, or SMS.<br />Ping.fm is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate </strong><br />8th place in the <a href="http://twitstat.com/twitterclientusers.html" target="_blank">most used twitter clients</a> - 4.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerabilities </strong><br />1) Cross-Site Request Forgery in the SMS Phone No. Settings page.<br />Status: <strong>Patched</strong>.<br />Details: Ping.fm SMS phone number settings page did not use authenticity code in order to validate that the HTTP request POST is coming from the Ping.fm web application.<br />This could have been used by an attacker to send tweets on behalf of its victims, by simply sending an SMS to Ping.fm.<br /><br />2) Reflected Cross-Site Scripting in the "Ping This!" page.<br />Status: <strong>Patched</strong>.<br />Details: The Ping.fm "Ping This!" page did not encode HTML entities in the "link" variable, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><b>Proof-of-Concept</b>: http://ping.fm/ref/?link=xxx%22+style="color:expression(document.body.onload=function(){alert('XSS')})<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB21_pingfm.png"><img src="http://twitpwn.com/motb/images/MoTB21_pingfm.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate </strong><br />The vulnerabilitles were fixed several hours after they have been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3715345952269008875?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/nhScTebYTfM" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-21-multiple-vulnerabilities-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-48803070925923062142009-07-20T21:49:00.013+03:002009-07-20T23:43:17.160+03:00MoTB #20: Insecure communication vulnerability in twhirl<strong>What is twhirl<br /></strong>"twhirl is a desktop client for the Twitter microblogging service. Most of the features available on the Twitter website are accessible through twhirl, too." (twhirl <a target="_blank" href="http://twhirl.org/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>twhirl can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.<br />twhirl is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />One of the most popular Twitter clients. 7th place in the <a href="http://twitstat.com/twitterclientusers.html" target="_blank">most used twitter clients</a> - 4.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><strong>Vulnerability</strong>: Insecure communication vulnerability in the update proccess.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: twhirl does not use a secure communication when it checks for updates. An attacker who controls the victim's network (e.g. via public WiFi, compromised DNS servers, etc.) can tamper with the request to http://www.twhirl.org/version.xml, and replace the values of both "version" and "installerURL" XML entities, in order to force a display of fake (malicious) update. <br />This vulnerability can be used by an attacker to install malware on its victims machines.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/TwhirlPwn.png"><img border="0" src="http://twitpwn.com/motb/images/TwhirlPwn.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor (Seesmic) have decided not to confirm this as a vulnerability. Seesmic claims that they "do not believe this exploit is possible due to the way Adobe AIR binaries are signed at compilation time with private keys to create both an ApplicationID and a PublisherID". While this might be true, an attacker can:<br />1) Direct the user to automatically install old signed version of twhirl, and then exploit other vulnerabilities that were patched by newer versions.<br />2) Use an unsigned binary, which might cause the automatic download to fail. In this case, the user will follow twhirl's request (See above screenshot) and manually download and run the malicious executable. <br />Instead of applying a one character fix to this vulnerability (by simply adding an "s" to the HTTP request), Seesmic have decided to ignore my continuous requests to fix this vulnerability. Very poor - 0.5 twits.<br /><img src="http://twitpwn.com/motb/images/twit2.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-4880307092592306214?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/SDVcxAvb_bc" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-20-insecure-communication.htmltag:blogger.com,1999:blog-1546716157077615374.post-71489524113419908532009-07-19T22:06:00.002+03:002009-07-19T22:28:57.896+03:00MoTB #19: CSRF+XSS vulnerabilities in Talker<strong>What is Talker<br /></strong>Talker is a Hebrew theme for Israeli twitter users (Talker <a target="_blank" href="http://www.talker.co.il/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Talker can be used to send tweets, direct messages and follow/unfollow other Twitter users.<br />Talker is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />Even though it's operated by one of the biggest Israeli portals and TV channel (<a href="http://nana10.co.il" target="_blank">Nana10</a>), it has only several thousands users - 1 twit<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerabilities</strong>: <br />1) Cross-Site Request Forgery in the update forms<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: Talker update forms did not use authenticity code in order to validate that the HTTP requests are coming from the Talker web application. <br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><br />2) Reflected POST Cross-Site in the Subject page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: Talker subject page did not encode HTML entities of the subject query string, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB19_talker.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB19_talker.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerabilities were fixed 4 days after they have been reported to the vendor. Moderate - 3 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-7148952411341990853?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/B14ZOYmuDY0" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-19-csrfxss-vulnerabilities-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-53886308177499363282009-07-18T21:20:00.004+03:002009-07-19T01:13:39.978+03:00MoTB #18: Persistent XSS vulnerability in tr.im<strong>What is tr.im<br /></strong>"tr.im is an established URL shortening service that prepares great-looking short URLs for services like Twitter. If you send URLs out on Twitter, tr.im is not only the best name, it is one of the shortest." (tr.im <a target="_blank" href="http://tr.im/website/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>tr.im can be used to send tweets with the shortened URLs through a form on their website.<br />tr.im is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />Yet another Twitter shortening service. Not as popular as others in this market - 2 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Persistent Cross-Site in tr.im Referrer statistics page.<br /><strong>Status</strong>: <b><span style="color:red">Unpatched</span></b>.<br /><strong>Details</strong>: tr.im does not encode HTML entities of the referrer URLs<br />which can be easily manipulated by attackers, and can allow the injection of scripts.<br />This vulnerability can be used by an attacker to send tweets on behalf of its victims.<br />This vulnerability was submitted by <a href="http://skeptikal.org/" target="_blank">Mike Bailey</a>.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB18_trim.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB18_trim.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor did not respond to any of the emails I sent during the past week - 0 twits.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-5388630817749936328?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/qPGNVkGhVcA" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-18-persistent-xss-vulnerability-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-61725235523471536982009-07-17T22:08:00.005+03:002009-07-17T22:26:16.703+03:00MoTB #17: Persistent XSS vulnerability in mobypicture<strong>What is mobypicture<br /></strong>"Directly share your photos, text, audio and videos with all your friends on your favorite social sites: facebook, twitter, flickr, vimeo, and more!" (mobypicture <a target="_blank" href="http://www.mobypicture.com/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>mobypicture can be used to send tweets by uploading new photos, or posting comments on existing photos.<br />mobypicture is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />Yet another Twitter photo sharing service. 27th place in the <a href="http://twitstat.com/twitterclientusers.html" target="_blank">most used twitter clients</a>, according to “TwitStats” - 3 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Persistent Cross-Site in mobypicture picture view page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: mobypicture did not encode HTML entities of the uploaded picture details (title, description, etc.), which could have allowed the injection of scripts.<br />This vulnerability could have allowed an attacker to send tweets on behalf of its victims.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB17_mobypicture.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB17_mobypicture.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerability was fixed 2 hours after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-6172523552347153698?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/turmz5ZEHV4" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-17-persistent-xss-vulns-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-25334482951000207202009-07-16T22:34:00.006+03:002009-07-16T23:22:55.473+03:00MoTB #16: HelloTxt Persistent XSS<strong>What is HelloTxt<br /></strong>"HelloTxt lets you update your status and read your friends' status across all main microblogging and social networks all at once." (HelloTxt <a target="_blank" href="http://hellotxt.com/about-us">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>HelloTxt can be used to send tweets to other Twitter users.<br />HelloTxt is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />16th place in the Top 100 Twitter services of <a href="http://momb.socio-kybernetics.net/labs/twitter-50" target="_blank">The Museum of Modern Betas Labs</a> - 4 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Persistent Cross-Site in HelloTxt profile page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: HelloTxt did not encode HTML entities in the username information updated by the user, which could have allowed the injection of scripts.<br />This vulnerability could have allowed an attacker to send tweets on behalf of its victims.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB16_hellotxt.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB16_hellotxt.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerability was fixed 3 days after it has been reported. Moderate - 3 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-2533448295100020720?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/lO6xj2ZYvc8" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-16-hellotxt-persistent-xss.htmltag:blogger.com,1999:blog-1546716157077615374.post-13838266841471437842009-07-16T20:33:00.009+03:002009-07-16T22:22:55.098+03:00MoTB Halftime Statistics ReportI've decided to gather and publish some statistics for the first 15 days of "Month of Twitter Bugs".<br />There were 35 vulnerabilities disclosed for 15 different Twitter 3rd-party services. <br />12 of the 35 vulnerabilities were 0days (11 of them disclosed in the blog comments), which means there was no patch available at the time they were disclosed. <br /><b>7 of those 0day vulnerabilities are still <span style="color:red">unpatched!</span></b><br />The average fix time for a vendor (not including bit.ly) is 18 hours. <br />The following pie chart shows the types of vulnerabilities found in MoTB.<br /><img src="http://www.twitpwn.com/motb/images/chart-half.png" width=395 height=198><br /><br /><br />As a bonus for the "Halftime statistics report", I would like to present a bug that was submitted by Laurent Gaffie: Twitter Search Web Server Information Leakage.<br />The Twitter search server did not block access to the ".htaccess" file, which revealed the configuration of the Twitter search web server, including a block list of IPs (spammers?).<br /><strong>Status:</strong> Fixed.<br /><strong>Screenshot:</strong><br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTBX_twitter_htaccess.png"><img border="0" src="http://twitpwn.com/motb/images/MoTBX_twitter_htaccess.png" width=341 height=247 /></a><br /><br /><br />While this bug is nothing compared to <a href="http://www.guardian.co.uk/media/pda/2009/jul/15/twitter-hacked-techcrunch-defends" target="_blank">the recent Twitter servers/employees hack disclosure</a>, it still shows that Twitter needs to <a href="http://static.twitter.com/jobvite_frame.html?c=q8X9VfwT&jvi=obPbVfwQ,Job" target="_blank">hire a security engineer</a>, and fast!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-1383826684147143784?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/VAaXji01Zcs" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-halftime-statistics-report.htmltag:blogger.com,1999:blog-1546716157077615374.post-80062278837199981432009-07-15T21:09:00.005+03:002009-07-15T21:31:04.921+03:00MoTB #15: CSRF+XSS vulnerabilities in Slandr<strong>What is Slandr<br /></strong>"Slandr delivers an enhanced mobile site for twitter, with: replies, direct messaging, etc.." (Slandr <a target="_blank" href="http://m.slandr.net/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Slandr can be used to send tweets, direct messages and follow/unfollow other Twitter users.<br />Slandr is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />27th place in the <a href="http://twitstat.com/twitterclientusers.html" target="_blank">most used twitter clients</a>, according to “TwitStats” - 3 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerabilities</strong>: <br />1) Cross-Site Request Forgery in main update page<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Slandr index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Slandr web application. <br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><br />2) Reflected POST Cross-Site in the Search page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Slandr search page did not encode HTML entities in the "search" form field, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.<br /><strong>Proof-of-Concept</strong>: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB15_mslandr.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB15_mslandr.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vendor <a href="http://tumblr.slandr.net/post/141450624/hacking-slandr-xss-and-csrf-vulnerabilities-patched" target="_blank">have published a blog post</a> about these vulnerabilities. <br />The vulnerabilities were fixed 2 days after they have been reported. Good - 4 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-8006227883719998143?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/rtV2m28Ds7M" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-15-csrfxss-vulnerabilities-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-21798508548782002132009-07-14T20:29:00.002+03:002009-07-14T20:41:41.624+03:00MoTB #14: Reflected XSS in TweetMeme<strong>What is TweetMeme<br /></strong>"TweetMeme is a service which aggregates all the popular links on twitter to determine which links are popular. TweetMeme is able to categorize these links into categories and subcategories, making it easy to filter out the noise to find what your interested in." (TweetMeme <a target="_blank" href="http://tweetmeme.com/about">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>TweetMeme can be used to send new tweets and reply to other Twitter users.<br />TweetMeme is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>6.5 Million unique visitors per month (<a href="http://siteanalytics.compete.com/tweetmeme.com/" target="_blank">According to Compete</a>) - 4.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The TweetMeme search page did not encode HTML entities in the "for" variable, which could have allowed the injection of scripts.<br />The vulnerability was also submitted, and <a href="http://security-sh3ll.blogspot.com/2009/07/xss-flaws-and-redirect-on-tweetmeme-and.html" target="_blank">publicly disclosed</a> by d3v1l.<br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB14_tweetmeme.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB14_tweetmeme.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />Vulnerability was fixed 2 hours after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-2179850854878200213?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/REfXq5AxDBU" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-14-reflected-xss-in-tweetmeme.htmltag:blogger.com,1999:blog-1546716157077615374.post-37180392274842597612009-07-13T20:09:00.004+03:002009-07-13T20:39:26.910+03:00MoTB #13: Reflected XSS in Brightkite<strong>What is Brightkite<br /></strong>"Brightkite is a location-based social network. In real time you can see where your friends are and what they're up to. Depending on your privacy settings you can also meet others nearby." (Brightkite <a target="_blank" href="http://brightkite.com/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Brightkite can be used to send new tweets and reply to other Twitter users.<br />Brightkite is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>16th place in the <a href="http://twitstat.com/twitterclientusers.html" target="_blank">most used twitter clients</a>, according to “TwitStats” - 4 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the "Person not found" page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Brightkite "Person not found" page did not encode HTML entities in the people query variable, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://brightkite.com/people/zxxx%22%3E%3Cbody%20onload=%22alert(%27xss%27)%22%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB13_brightkite.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB13_brightkite.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />Vulnerability was fixed 1 hour after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3718039227484259761?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/6hgnvYaC9w0" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com2http://www.twitpwn.com/2009/07/motb-13-reflected-xss-in-brightkite.htmltag:blogger.com,1999:blog-1546716157077615374.post-4040581272563041122009-07-12T20:32:00.005+03:002009-07-12T20:57:10.621+03:00MoTB #12: Reflected XSS in TweetGrid<strong>What is TweetGrid <br /></strong>"TweetGrid is a powerful Twitter Search Dashboard that allows you to search for up to 9 different topics, events, converstations, hashtags, phrases, people, groups, etc in real-time. As new tweets are created, they are automatically updated in the grid. No need to refresh the page!" (TweetGrid <a target="_blank" href="http://tweetgrid.com/faq">FAQ page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>TweetGrid can be used to send new tweets and reply to other Twitter users.<br />TweetGrid is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>28th place in the <a href="http://momb.socio-kybernetics.net/labs/twitter-50" target="_blank">Top 100 Twitter Services</a>, according to “The Museum of Modern Betas” - 3.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected Cross-Site in the Search page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The TweetGrid search page did not encode HTML entities in the "q" variable, which could have allowed the injection of scripts.<br />This vulnerability could have been used by an attacker to send tweets on behalf of its victims.<br /><strong>Proof-of-Concept</strong>: http://tweetgrid.com/search?q=xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB12_tweetgrid.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB12_tweetgrid.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />Vulnerability was fixed 1 hour after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-404058127256304112?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/zHPs-mRsJz8" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com2http://www.twitpwn.com/2009/07/motb-12-reflected-xss-in-tweetgrid.htmltag:blogger.com,1999:blog-1546716157077615374.post-39750919576186844222009-07-11T20:18:00.005+03:002009-07-11T20:39:17.637+03:00MoTB #11: Twitturly Persistent XSS<strong>What is Twitturly <br /></strong>"Twitturly tracks the URLs flying around the Twitterverse and provides a quick, real-time view of what people are talking about on Twitter." (Twitturly <a target="_blank" href="http://twitturly.com/about/">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Twitturly can be used to send tweets to other Twitter users.<br />Twitturly is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />19th place in the Top 100 Twitter services of <a href="http://momb.socio-kybernetics.net/labs/twitter-50" target="_blank">The Museum of Modern Betas Labs</a> - 4 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Persistent Cross-Site in Twitturly URLs view page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: Twitturly did not encode HTML entities in the <b>un-shortened</b> URLs it displays, which could have allowed the injection of scripts.<br />This vulnerability could have allowed an attacker to send tweets on behalf of its victims.<br /><strong>Screenshot</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB11_twitturly.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB11_twitturly.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerability was fixed 2 hours after it has been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3975091957618684422?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/m_ktR9zbGHA" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-11-twitturly-persistent-xss.htmltag:blogger.com,1999:blog-1546716157077615374.post-15603676709346450402009-07-10T19:09:00.006+03:002009-07-10T19:39:11.663+03:00MoTB #10: CSRF+XSS vulnerabilities in Twitiq<strong>What is Twitiq<br /></strong>"TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers." (Twitiq <a target="_blank" href="http://www.twitiq.com/">home page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.<br />Twitiq is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong> <br />A new 3rd party service, which already gained 5K unique visitors per month (<a href="http://siteanalytics.compete.com/twitiq.com/?metric=uv" target="_blank">according to Compete</a>)- 1 twit<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><strong>Vulnerability</strong>: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the "jcb" variable.<br />Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it's victims.<br /><strong>Proof of Concept</strong>: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert("xss")%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF<br /><strong>Screenshots</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB10_twitiq.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB10_twitiq.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerabilities were fixed within 1 hour after they have been reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-1560367670934645040?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/wsX_GscV2n8" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com0http://www.twitpwn.com/2009/07/motb-10-csrfxss-vulnerabilities-in.htmltag:blogger.com,1999:blog-1546716157077615374.post-37568303934808338092009-07-09T21:29:00.005+03:002009-07-09T22:23:22.205+03:00MoTB #09: Reflected POST XSS vulnerability in Twellow<strong>What is Twellow<br /></strong>"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow <a target="_blank" href="http://www.twellow.com/about.php">about page</a>)<br /><br /><br /><strong>Twitter effect<br /></strong>Twellow can be used to follow and unfollow other twitter users.<br />Twellow is using Username/Password authentication in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate<br /></strong>Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (<a target="_blank" href="http://siteanalytics.compete.com/twellow.com/?metric=uv">according to Compete</a>) - 4 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><br /><br /><br /><strong>Vulnerability</strong>: Reflected POST Cross-Site Scripting in the Contact page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page. <br />This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.<br /><strong>Screenshots</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB9_twellow.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB9_twellow.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good - 4 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-3756830393480833809?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/7ZNP9LZ4SAU" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com2http://www.twitpwn.com/2009/07/motb-9-reflected-post-xss-vulnerability.htmltag:blogger.com,1999:blog-1546716157077615374.post-68377801540928258582009-07-08T20:25:00.006+03:002009-07-08T20:51:28.934+03:00MoTB #08: DOM Based XSS in Twitterfall<strong>What is Twitterfall<br /></strong>"Twitterfall is a way of viewing the latest 'tweets' of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime.." (Twitterfall <a target="_blank" href="http://twitterfall.com/">home page</a>)<br /><br /><br /><strong>Twitter affect<br /></strong>Twitterfall can be used to send tweets, replies or follow other twitter users.<br />Twitterfall is using OAuth authentication method in order to utilize the Twitter API.<br /><br /><br /><strong>Popularity rate</strong><br />22nd place <a href="http://momb.socio-kybernetics.net/labs/twitter-50" target="_blank">according to "The Museum of Modern Betas"</a>. 18th place <a href="http://www.techcrunch.com/2009/02/19/the-top-20-twitter-applications" target="_blank">according to compete</a> - 3.5 twits<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit2.png" /><br /><br /><br /><strong>Vulnerability</strong>: DOM Based Cross-Site Scripting in the main page.<br /><strong>Status</strong>: Patched.<br /><strong>Details</strong>: The Twitterfall main page did not encode HTML entities in the "trend" variable before evaluating it in JavaScript. This could allow the injection of scripts, which could have been used by an attacker to send tweets on behalf of its victims. The older site of Twitterfall (old.twitterfall.com) was also vulnerable to the same issue.<br /><strong>Proof-of-Concepts</strong>: <br />http://www.twitterfall.com/?trend=%3Cimg/src%3D"."/onerror%3D"alert('xss')"%3E<br />http://old.twitterfall.com/?trend=%3Cscript%3Ealert("XSS")=%3C/script%3E<br /><strong>Screenshots</strong>:<br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB8_twitterfall_1.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB8_twitterfall_1.png" width=341 height=247 /></a><br /><a target="_blank" href="http://twitpwn.com/motb/images/MoTB8_twitterfall_2.png"><img border="0" src="http://twitpwn.com/motb/images/MoTB8_twitterfall_2.png" width=341 height=247 /></a><br /><br /><br /><strong>Vendor response rate</strong><br />The vulnerabilities were fixed 3 hours after they were reported. Excellent - 5 twits.<br /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><img src="http://twitpwn.com/motb/images/twit1.png" /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1546716157077615374-6837780154092825858?l=www.twitpwn.com'/></div><img src="http://feeds.feedburner.com/~r/Twitpwn/~4/w7vsoIHBJAc" height="1" width="1" alt=""/>avivrahttp://www.blogger.com/profile/07588733978066155038noreply@blogger.com1http://www.twitpwn.com/2009/07/motb-08-dom-based-xss-in-twitterfall.html